Detailed Action
1.	The present application is being examined under the pre-AIA first to invent provisions. Applicant’s amended claims dated March 31st, 2021 responding to the January 7th, 2021 Office Action provided in the rejection of claims 1-24.

Status of Claims
2.	Claims 1-7 and 13-19 have been amended. Claims 1-24 are pending in the application, of which claims 1 and 12 are in independent form, and these claims (1-24) are subject to the following rejection(s) and/or objection(s) indicated under the section and subsections of No. 3 below.
Response to the Amendments
3.	Regarding art rejection: In regard to claims 1-24, Applicant's arguments are not persuasive; further, Applicant's amendment necessitated new grounds of rejection presented in the following art rejection.



Claim Rejections – 35 USC §103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
5.	Claims 10-12 and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Wesie et al. (US Patent Application Publication No. 2015/0135313 A1 [IDS of record], hereinafter Wesie) in view of Janos Yang et al. (US Patent Application Publication No. 2015/0363198 A1, hereinafter Yang).
Per claim 1:
Wesie discloses: 
A device for reinforcing control flow integrity (CFI) of a software application (At least see ¶[0017] -improved CFI system and method of the present invention) comprising: 
a processor (At least see ¶[0018] -improved CFI system and method may be implemented on a computing system that includes processors); and 
a non-transitory media readable by the processor, the non-transitory media storing instructions that, when executed by the processor (At least see ¶[0133] -system and method of the present invention may be implemented in computer hardware, firmware, and/or computer programs executing on programmable computers or servers that each includes a processor and a storage medium readable by the processor), facilitate the device carrying out a method comprising: 
code generated by compiling the first source code file for the software application (At least see ¶[0051] -binary to be executed is shown at 230 of FIG. 2. The entry point for the binary Program.exe is shown at 232. The Native code and data for Program.exe are shown at 234 and it is located at "Loc. X" in an appropriate memory), and 
a compiled indirect function call (At least see ¶[0027] -FIG. 4 shows a representative flow diagram for indirect call control transfers shown in FIG. 3), wherein the first source code file is received by the device (At least see ¶[0005] -CFI enforcement, it is carried out through the use of a Control Flow Graph ("CFG"). The CFG dictates the software execution path. Conventionally, the CFG can be defined by analysis, such as, source-code analysis), and the first source code file comprises functions and indirect function calls (At least see ¶[0058] -improved CFI system and method enforced using (1) a call instruction to redirect control flow to a function and (2) a return instruction control flow to the call instruction); 
associating a CFI check function to the compiled indirect function call in the first binary file, such that during execution of the first binary file (At least see ¶[0035] -improved CFI system and method of the present invention, CFI instrumentation inserts two tags to execute label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), the CFI check function is executed prior to executing the compiled indirect function call (At least see ¶[0053] -a general overview of the CFI system of the present invention is shown generally at 300. According to FIG. 3, a binary code 302, the Call Site, has CFI stub 304 inserted in it before indirect control transfer "call foo ( )" 306. CFI stub 304 will include a validation tag that will be compared with the call tag at 312 of Callee (foo) 310); and 
adding a function, referred to in the compiled indirect function call, to a reduced function table (RFT) (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code). 
Wesie sufficiently discloses the system/device as set forth above, but Wesie does not explicitly disclose: obtaining a first binary file by compiling a first source code file received by the device, wherein the first source code file comprises functions and an indirect function call, and wherein the first binary file comprises: a compiled indirect function call rendered by compiling the indirect function call.

However, Yang discloses:
 obtaining a first binary file by compiling a first source code file received by the device (At least see [0008] - a binary executable object to generate assembly language source code), wherein the first source code file comprises functions and an indirect function call (At least see [0008] - assembly language source code includes one or more indirect function calls), and wherein the first binary file comprises: 
a compiled indirect function call rendered by compiling the indirect function call (At least see [0020] –source code that includes indirect function calls is compiled, the indirect function calls are compiled into special CPU instruction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Yang into Wesie’s invention because Yang teaches an advantageous technique that would allow a disassembler to accurately track functions called by indirect function calls in disassembled code; therefore, the disassembler automatically corrects function names associated with indirect function calls, a user does not have to manually examine each indirect function call individually to correct the values, and, because the disassembler corrects the values as the targeted module is running, the quality of disassembly is significantly improved relative to more conventional disassembly techniques, such as static disassembly and dynamic debugging, as suggested by Yang (please see [0016]).

Per claim 2:
Wesie discloses: 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed multiple times (At least see ¶[0017] - first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), and wherein during each one of the multiple times the CFI check function is executed, the (At least see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called); and 
executing, in accordance with determining the function referred to in an associated indirect function call is contained within the RFT, the compiled indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 3: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed multiple times, and wherein during each one of the multiple times the CFI check function is executed, the CFI check function determines if a function referred to in an associated indirect function call is contained within the RFT (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code); and 
executing, in accordance with determining the function referred to in an associated indirect function call is contained within the RFT, the compiled indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 4: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file (At least see ¶[0107] - every rewritten library that is loaded, there are a series of entries made into the memory bitmap. For each page of virtual memory allocated to a library, the address of the virtual memory page is added as a lookup value in the memory bitmap at 1142, 1144, and 1146); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0050] - process step 224 where dependent libraries are recursively imported to the child process. These libraries are received from the import tables stored in Program.exe and every loaded library. Following the import of dependent libraries, the child process is transmitted to process step 225. At process step 225, the Program.exe entry point is called. The entry point is a location that represents the beginning of the code for execution); and 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed (At least see ¶[0035] -improved CFI system and method of the present invention, CFI instrumentation inserts two tags to execute label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
[Application No. 16/552,534, Preliminary Amendment, Attorney Ref. HW744883]
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained within the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, and the second binary file is determined to have been compiled in a legacy manner (At least see ¶[0130] -If there is an entry in the hash table as shown at 1122, which points to an entry in the rewritten code in rewritten code 1120, execution is turned over to the address in the rewritten code as shown at 1140 of vectorized exception handler 1124. Since there is a mapping, the instruction pointer is set to 0xB and binary execution continues).  

Per claim 5:
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
executing the first binary file (At least see ¶[0021] -modification of, loading of, and execution of modified binaries for operating systems), 
wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained within the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map (At least see ¶[0020] -A control flow map is generated with recursive-to-linear code analysis and the proper indirect transfer locations are then catalogued in a white-list.exp file. If there are any attempts to effect indirect control transfer, such a transfer is cross-referenced against the .exp file to determine if the target is valid), 
the second binary file is determined to not have been compiled in a legacy manner (At least see ¶[0012] -instrumentation would be designed for potential application only to programs that incorporate its protections before the code is compiled and, as such, there could be strong familiarity with the knowledge of the code), and 
the function referred to in the associated indirect function call is contained within a reduced function table associated with the second binary file (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 6: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); and  
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
executing, in accordance with the first determining, a function referred to in an associated indirect function call is not contained within the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining:  
function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, the second binary file is determined to not have been compiled in a legacy manner (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), 
the function referred to in the associated indirect function call is not contained within a reduced function table associated with the second binary file (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed), and 
the function referred to in the associated indirect function call is contained in the runtime function table (At least see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called).  

Per claim 7: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0053] -a general overview of the CFI system of the present invention is shown generally at 300. According to FIG. 3, a binary code 302, the Call Site, has CFI stub 304 inserted in it before indirect control transfer "call foo ( )" 306. CFI stub 304 will include a validation tag that will be compared with the call tag at 312 of Callee (foo) 310, also see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called); and 
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained within the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, and the function referred to in the associated indirect function call is contained in the runtime function table (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates).  

Per claim 8: 
Wesie discloses: 
runtime function table is stored in a protected non-transitory media readable by the processor (At least see ¶[0095] -Hash table 808 is preferably loaded into non-executable memory).  

Per claim 9: 
Wesie discloses: 
binary map is stored in a protected non-transitory media readable by the processor (At least see ¶[0077] - memory bitmap is a runtime data structure that provides a resolution mechanism for the location of remapped code).  

Per claim 13: 
Wesie discloses: 
A method for reinforcing control flow integrity (CFI) of a software application using a computing device (At least see ¶[0017] -improved CFI system and method of the present invention), the method comprising: 
code generated by compiling a first source code file for the software application (At least see ¶[0051] -binary to be executed is shown at 230 of FIG. 2. The entry point for the binary Program.exe is shown at 232. The Native code and data for Program.exe are shown at 234 and it is located at "Loc. X" in an appropriate memory), and a compiled indirect function call (At least see ¶[0027] -FIG. 4 shows a representative flow diagram for indirect call control transfers shown in FIG. 3), wherein the first source code file is received by the device, and the first source code file comprises functions and indirect function calls (At least see ¶[0005] -CFI enforcement, it is carried out through the use of a Control Flow Graph ("CFG"). The CFG dictates the software execution path. Conventionally, the CFG can be defined by analysis, such as, source-code analysis); 
associating, during compiling the first source code file, a CFI check function in the first binary file with the compiled indirect function call in the first binary files such that during execution of the first binary file (At least see ¶[0035] -improved CFI system and method of the present invention, CFI instrumentation inserts two tags to execute label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), the CFI check function is executed prior to executing the compiled indirect function call (At least see ¶[0053] -a general overview of the CFI system of the present invention is shown generally at 300. According to FIG. 3, a binary code 302, the Call Site, has CFI stub 304 inserted in it before indirect control transfer "call foo ( )" 306. CFI stub 304 will include a validation tag that will be compared with the call tag at 312 of Callee (foo) 310); and 
adding a function, referred to in the compiled indirect function call, to a reduced function table (RFT) (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  
Wesie sufficiently discloses the system/device as set forth above, but Wesie does not explicitly disclose: obtaining a first binary file by compiling a first source code file received by the device.

However, Yang discloses:
 obtaining a first binary file by compiling a first source code file received by the device (At least see [0008] - a binary executable object to generate assembly language source code), wherein the first source code file comprises functions and an indirect function call (At least see [0008] - assembly language source code includes one or more indirect function calls). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Yang into Wesie’s invention because Yang teaches an advantageous technique that would allow a disassembler to accurately track functions called by indirect function calls in disassembled code; therefore, the disassembler automatically corrects function names associated with indirect function calls, a user does not have to manually examine each indirect function call individually to correct the values, and, because the disassembler corrects the values as the targeted module is running, the quality of disassembly is significantly improved relative to more conventional disassembly techniques, such as static disassembly and dynamic debugging, as suggested by Yang (please see [0016]).

Per claim 14: 
Wesie discloses: 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed multiple times (At least see ¶[0017] - first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), and wherein during each one of the multiple times the CFI check function is executed, the (At least see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called); and 
executing, in accordance with determining the function referred to in an associated indirect function call is contained within the RFT, the compiled indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 15: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed multiple times, and wherein during each one of the multiple times the CFI check function is executed, the CFI check function determines if a function referred to in an associated indirect function call is contained within the RFT (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code); and 
executing, in accordance with determining the function referred to in an associated indirect function call is contained within the RFT, the compiled indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 16: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file (At least see ¶[0107] - every rewritten library that is loaded, there are a series of entries made into the memory bitmap. For each page of virtual memory allocated to a library, the address of the virtual memory page is added as a lookup value in the memory bitmap at 1142, 1144, and 1146); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0050] - process step 224 where dependent libraries are recursively imported to the child process. These libraries are received from the import tables stored in Program.exe and every loaded library. Following the import of dependent libraries, the child process is transmitted to process step 225. At process step 225, the Program.exe entry point is called. The entry point is a location that represents the beginning of the code for execution); and 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed (At least see ¶[0035] -improved CFI system and method of the present invention, CFI instrumentation inserts two tags to execute label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check), wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
Application No. 16/552,534 Preliminary Amendment Attorney Ref. HW744883
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained with the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, and the second binary file is determined to have been compiled in a legacy manner (At least see ¶[0130] -If there is an entry in the hash table as shown at 1122, which points to an entry in the rewritten code in rewritten code 1120, execution is turned over to the address in the rewritten code as shown at 1140 of vectorized exception handler 1124. Since there is a mapping, the instruction pointer is set to 0xB and binary execution continues).  

Per claim 17: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
executing the first binary file (At least see ¶[0021] -modification of, loading of, and execution of modified binaries for operating systems), 
wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained with the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map (At least see ¶[0020] -A control flow map is generated with recursive-to-linear code analysis and the proper indirect transfer locations are then catalogued in a white-list.exp file. If there are any attempts to effect indirect control transfer, such a transfer is cross-referenced against the .exp file to determine if the target is valid), 
the second binary file is determined to not have been compiled in a legacy manner (At least see ¶[0012] -instrumentation would be designed for potential application only to programs that incorporate its protections before the code is compiled and, as such, there could be strong familiarity with the knowledge of the code), and 
the function referred to in the associated indirect function call is contained within a reduced function table associated with the second binary file (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code).  

Per claim 18: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); 
updating a binary map with an address referred to in a load command (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); and  
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed); and 
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained with the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, the second binary file is determined to not have been compiled in a legacy manner (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), 
the function referred to in the associated indirect function call is not contained within a reduced function table associated with the second binary file (At least see ¶[0115] -improved CFI system method the present invention, a preferable type of the disassembler uses a code traversal algorithm starting at the Program.exe entry point. The processing at this step will reveal all the pointers in the sections of the disassembled binary code. Once the pointers have been revealed, the process will conduct a recursive descent traversal on each of these pointers to ensure that all of the code sections are covered. During this process of conducting the recursive descent traversal on the pointers, there are determinations whether any of the sections are program data that cannot be executed), and 
the function referred to in the associated indirect function call is contained in the runtime function table (At least see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called).  

Per claim 19: 
Wesie discloses: 
loading the first binary file for execution (At least see ¶[0021] - loading of, and execution of modified binaries for operating systems); updating a binary map with an address referred to in a load command in accordance with executing the load command in the first binary file (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates); 
updating a runtime function table with a function referred to in an indirect external function call in accordance with executing an assignment of the indirect external function call in the first binary file (At least see ¶[0080] - hash table is an added component to the binary execution process. The hash table is a static structure that is appended to the end of the modified (rewritten) binary code. The hash table will contain pointers from the Native code section of the binary code to the code's logically equivalent section of the rewritten code); 
executing the first binary file, wherein during the executing the first binary file, the CFI check function is executed, wherein the method further comprises first determining, in accordance with executing the CFI check function, a function referred to in an associated indirect function call is not contained within the RFT (At least see ¶[0053] -a general overview of the CFI system of the present invention is shown generally at 300. According to FIG. 3, a binary code 302, the Call Site, has CFI stub 304 inserted in it before indirect control transfer "call foo ( )" 306. CFI stub 304 will include a validation tag that will be compared with the call tag at 312 of Callee (foo) 310, also see ¶[0054] - CFI call stub will include a tag. At 404, the target program's call tag is read. The decision block at 406 determines whether there is a match of the tags. If there is a match, there is a valid tag at the Callee program and the process will proceed to 408 and the target function will be called); and 
executing, in accordance with the first determining a function referred to in an associated indirect function call is not contained with the RFT, the associated indirect function call (At least see ¶[0068] -prior to code execution, operating dynamically at runtime or statically by hooking pointers to memory locations of instrumented code. The system of the present invention operates the instrumented code using a separate table, distinct from the structure of certain linkages by using a server to generate hooks and instrumented code), after further determining: 
the function referred to in the associated indirect function call is contained within a second binary file having an address contained in the binary map, and the function referred to in the associated indirect function call is contained in the runtime function table (At least see ¶[0022] - a cache for rewritten binaries, allowing for the inclusion of Windows DLLs, as well as third-party DLLs, allowing for rapid application loading, management of binary-level updates).  
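
The order of determinations recited across claims 15 to 19 can be read as one layered check, sketched here in C as an added illustration (not code from the application, Wesie, Yang or Baji-Gal). It assumes "RFT" denotes the first binary's reduced function table, distinct from the runtime function table; all type, function and constant names are hypothetical, and the deny outcome is an assumption because the quoted claims recite only the allowing paths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the structures named in claims 15-19. */
typedef struct {
    uintptr_t base, size;      /* address range recorded on load */
    bool legacy;               /* compiled in a legacy manner (no CFI tables) */
    const uintptr_t *reduced;  /* this binary's reduced function table */
    size_t n_reduced;
} binary_entry;

#define MAX_BIN 8
#define MAX_RT  16

typedef struct {
    const uintptr_t *rft;      /* first binary's RFT (assumed meaning) */
    size_t n_rft;
    binary_entry map[MAX_BIN]; /* binary map */
    size_t n_map;
    uintptr_t runtime[MAX_RT]; /* runtime function table */
    size_t n_runtime;
} cfi_state;

typedef enum {
    CFI_DENY = 0, CFI_ALLOW_RFT, CFI_ALLOW_LEGACY,
    CFI_ALLOW_REDUCED, CFI_ALLOW_RUNTIME
} cfi_verdict;

static bool contains(const uintptr_t *t, size_t n, uintptr_t f) {
    for (size_t i = 0; i < n; i++)
        if (t[i] == f) return true;
    return false;
}

/* Load command executed: record the loaded binary in the binary map. */
bool cfi_on_load(cfi_state *s, binary_entry b) {
    if (s->n_map == MAX_BIN || b.size == 0) return false;
    s->map[s->n_map++] = b;
    return true;
}

/* Assignment of an indirect external call executed: record its target. */
bool cfi_on_assign(cfi_state *s, uintptr_t f) {
    if (contains(s->runtime, s->n_runtime, f)) return true;
    if (s->n_runtime == MAX_RT) return false;  /* table full: not recorded */
    s->runtime[s->n_runtime++] = f;
    return true;
}

/* CFI check run before each indirect call. */
cfi_verdict cfi_check(const cfi_state *s, uintptr_t f) {
    if (contains(s->rft, s->n_rft, f)) return CFI_ALLOW_RFT;   /* claim 15 */
    const binary_entry *b = NULL;
    for (size_t i = 0; i < s->n_map; i++)   /* unsigned wrap rejects f < base */
        if (f - s->map[i].base < s->map[i].size) { b = &s->map[i]; break; }
    if (!b) return CFI_DENY;                /* target in no mapped binary */
    if (b->legacy) return CFI_ALLOW_LEGACY;                    /* claim 16 */
    if (contains(b->reduced, b->n_reduced, f))
        return CFI_ALLOW_REDUCED;                              /* claim 17 */
    if (contains(s->runtime, s->n_runtime, f))
        return CFI_ALLOW_RUNTIME;                              /* claims 18, 19 */
    return CFI_DENY;
}

/* Constructed sample state; every address below is made up. */
cfi_verdict cfi_demo(uintptr_t target) {
    static const uintptr_t rft[] = { 0x401000, 0x401040 };
    static const uintptr_t lib_reduced[] = { 0x7000100 };
    cfi_state s = { .rft = rft, .n_rft = 2 };
    cfi_on_load(&s, (binary_entry){ 0x7000000, 0x1000, false, lib_reduced, 1 });
    cfi_on_load(&s, (binary_entry){ 0x8000000, 0x1000, true, NULL, 0 });
    cfi_on_assign(&s, 0x7000200);  /* pointer assigned at runtime */
    return cfi_check(&s, target);
}
```

In this model the legacy branch accepts every address inside the legacy binary's mapped range, which makes it the coarsest of the four allowing paths.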

Per claim 20: 
Wesie discloses: 
runtime function table is stored in a protected non-transitory media readable by the processor (At least see ¶[0095] -Hash table 808 is preferably loaded into non-executable memory).  

Per claim 21: 
Wesie discloses: 
binary map is stored in a protected non-transitory media readable by the processor (At least see ¶[0077] - memory bitmap is a runtime data structure that provides a resolution mechanism for the location of remapped code).  


6.	Claims 10-12 and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Wesie et al. in view of Yang et al., and further in view of Janos Baji-Gal (US Patent Application Publication No. 2017/0103210 A1, hereinafter Baji-Gal).

Per claim 10: 
Wesie modified by Yang does not explicitly disclose: indirect function call comprises an indirect function call assigned as part of a data structure. 

However, Baji-Gal discloses:
indirect function call comprises an indirect function call assigned as part of a data structure (At least see ¶[0019] - tag values associated with at least the first or second vertices can be stored at a predetermined offset memory location from the indirect function call and/or the function). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie modified by Yang because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).

Per claim 11: 
Wesie modified by Yang does not explicitly disclose: indirect function


However, Baji-Gal discloses:
indirect function (At least see Abstract: classification tags can be used to convert indirect function call into direct function calls).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie modified by Yang because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).


Per claim 12: 
Wesie modified by Yang does not explicitly disclose: indirect function call further comprises an indirect function call assigned as an assembly function call.  
 
However, Baji-Gal discloses:
indirect function call further comprises an indirect function call assigned as an assembly function call (At least see above stated pseudo code, two functions fi and fv can be implemented with a function pointer call pfv to function fv, followed by a direct call to function fv. Similar control flow instructions can be implemented for function fi (not shown). At the assembly level the original unprotected pseudo code).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie modified by Yang because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).

Per claim 22:
Wesie does not explicitly disclose: indirect function call comprises an indirect function call assigned as part of a data structure. 

However, Baji-Gal discloses:
indirect function call comprises an indirect function call assigned as part of a data structure (At least see ¶[0019] - tag values associated with at least the first or second vertices can be stored at a predetermined offset memory location from the indirect function call and/or the function). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).

Per claim 23: 
Wesie modified by Yang does not explicitly disclose: indirect function


However, Baji-Gal discloses:
indirect function (At least see Abstract: classification tags can be used to convert indirect function call into direct function calls).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie modified by Yang because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).

Per claim 24:
Wesie modified by Yang does not explicitly disclose: indirect function call further comprises an indirect function call assigned as an assembly function call.  
 
However, Baji-Gal discloses:
indirect function call further comprises an indirect function call assigned as an assembly function call (At least see above stated pseudo code, two functions fi and fv can be implemented with a function pointer call pfv to function fv, followed by a direct call to function fv. Similar control flow instructions can be implemented for function fi (not shown). At the assembly level the original unprotected pseudo code).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Baji-Gal into Wesie modified by Yang because, based on the Integrated Control Flow Graph (ICFG), which transforms or converts an indirect function call into a direct function call, where an indirect call or indirect jump has only one valid target, such an indirect call or indirect jump can be transformed into a direct call or direct jump, which improves performance by eliminating erroneous branch predictions and/or helping speculative execution in the processor at runtime, as suggested by Baji-Gal (please see ¶[0006]).






CONCLUSION
7.	I.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


	II.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZIAUL A. CHOWDHURY whose telephone number is (571)270-7750.  The examiner can normally be reached on 9:30PM-6:30PM Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough, can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZIAUL A CHOWDHURY/
Primary Examiner, Art Unit 2192
6/22/2021